PMP Training: Plan Risk Management
PMP® Exam Prep: Plan Risk Management
The PM PrepCast is your complete PMP certification training. With over 50 hours of in-depth lessons it is one of the best PMP classes online. Please enjoy this free lesson:
The first minute of this free lesson is a quick preface about PrepCast features and functionality. Feel free to fast forward.
This definition is taken from the Glossary of Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) - Sixth Edition, Project Management Institute Inc., 2017.
One of the most important jobs a project manager has is to successfully complete her or his projects. But per definition, projects are usually something that has never been done before and so we are faced with risk. Managing risk helps us achieve project success.
We explore the process of Plan Risk Management in detail. We discuss its importance and then review all inputs, tools & techniques, as well as outputs one by one. You need to know this for your PMP exam.
Until Next Time,
Cornelius Fichtner, PMP, CSM
President, OSP International LLC
Hello, and welcome to this free lesson from The Project Management PrepCast™. I am Cornelius Fichtner and I am the lead instructor. Thank you for your interest in our Project Management Professional (PMP)® Exam training course.
For over 45,000 students, The PM PrepCast™ was the right choice. This free session here will allow you to experience what the course is like and you’ll see that it is the right choice for you too.
The greatest technological benefit that The PM PrepCast™ gives you over other online courses is the fact that it is a podcast that you can choose to download. This means that you cannot only watch online but even better. You can save all 150 lessons on your tablet or on your phone! In that way, your PMP® training course is always in your pocket no matter where you are even if you are offline.
Preparing for your PMP® Exam has never been easier. Like I said, it’s the right choice! Please visit www.pm-prepcast.com for all the details.
And now, on with the show.
[01:06] Lesson Overview
Hello and welcome to The Project Management PrepCast™ where the PMP® Exam gets easier and easier. I am your instructor, Cornelius Fichtner, and in this lesson we review the concepts and you determine how to approach plan and ultimately execute risk management-related activities on your project. Specifically, we discuss steps in planning such as choosing proper visibility and defining and communicating how we manage risks.
We examine process details like our ITTO’s. We look at what the risk Management plan contains and why it is important. We’ll also open up the risk breakdown structure to see what it is and how it is used and how and why probability and impact are defined in the risk management plan.
[02:07] You are Here
Here is our usual process groups and knowledge area mapping. We are project risk management and as the process name implies, we are in the planning process group for this knowledge area and obviously plan risk management, the process here is defined as the process of defining how to conduct risk management activities for a project.
[02:33] Follow Along on Pages: 401-408
If you would like to follow along, please turn to pages 401 to 408 in the PMBOK® Guide.
[02:41] Main Concept
The main concept that you should remember is that in this process, we are not interested in planning how you manage the actual individual risks. Instead, we are interested in planning how to approach and execute the risk management activities on your project.
For instance, how will we identify our risks? How will define probability and impact of risks that we have identified? What techniques will we employ to define risk response strategies? And how will we monitor our risks during the life of our project? In other words, we want to create the risk management plan.
[03:26] Benefit or Risk Planning
What are some of the benefits of risk planning? Well by planning your risk management approach early in the project life cycle, you ensure that risk management receives the appropriate visibility to the stakeholders and corresponds with the size and strategic importance of your project. You would very likely plan for high visibility of risk in a large strategic project.
On the other hand, you would aim for low visibility on a project that is a fourth in a series of six similar small projects. This ensures the risk management plan activities receive the attention that is proportional to the project’s importance to the company. Again, remember, risk planning needs to start early on in the project and may need to be revisited if there is any significant scope change.
Let us dive into the inputs of this process…
[04:23] Plan Risk Management
And they are the project charter, the project management plan, and interestingly enough for plan risk management, we use all components of the plan as inputs whereas from the project documents, the stakeholder register is most important.
Then we also use the Enterprise environmental factors and some organizational process assets. Let’s look at why these are significant in helping us create our risk management plan.
[04:53] Project Charter
First, we have the Project charter as an input, which supplies the following high-level information, the initial high-level risks that are identified on the project. The project description that helps us identify risks based on what is and what is not included in the project.
Requirements that can shed light on how much risk is inherent in our project. For example, many complex requirements means high risk while simple requirements usually imply less risk. And then assumptions and constraints, both directly relate to the level and type of risk in a project. What do you think happens when one of our assumptions proves invalid later on? Well risk increases.
[5:44] Project Management Plan
Next, we have the information contained in the project management plan, which influences that plan risk management process. In preparing the risk management plan, all management plans and baselines must be considered for the risk management plan to be consistent with them. So let’s review then some of the reasons why these subsidiary components within the project management plan are important.
First, the more complex our cost management plan is, the more inherent risk there is on something going wrong in managing our cost. We would want to know the aggressiveness of schedule objectives within the schedule management plan as an indication of the risk of meeting those objectives.
And the communications management plan can help us answer questions on how many and with whom we have to communicate. And since one of the biggest problems on many projects is poor communication, there is a strong connection between planning communication and decreasing risk.
Also all baselines such as the scope, schedule and cost baseline should be taken into consideration. The methodology outlined in each of these plans is essential since these are all risk-affected areas.
[7:07] Project Documents
Next, we have the project documents and an important one among these project documents is the stakeholder register. The lessons about project communication and stakeholder management explain how the stakeholder register contains details about the project’s stakeholders. So why is the stakeholder register important to risk management planning? Well this document informs the project manager based on power, role and level of interest, which stakeholders are likely to impact the project. Stakeholders with high-potential impact likely need and expect to be involved in the planning of risk management activities since they typically can provide or limit resources; their ability to influence risk is substantial.
Secondly, the stakeholder register contains the classification of the project stakeholders. Are they supporters, resistors, or champions? Risk planning includes information about who may cause risks like a resistor and who can reduce risk like a champion? In essence, this information helps the project manager to associate a level of risk to a stakeholder. The better the project knows their stakeholders and level of influence, the more effective and purposeful risk planning is. It is also useful in determining roles and responsibilities for managing the risk on the project, as well as setting the risk threshold for the project.
[8:44] Commonly Used EEFs
The relevant information from the Enterprise environmental factors that we want as an input here are the risk attitudes of both the stakeholders, as well as the sponsoring organization. There are three things that influence these risk attitudes.
First, how much uncertainty will an organization take in anticipating a reward from a project? In other words, what is their risk appetite? Second, what is the measurable amount of acceptable risk or in other words, what is the risk tolerance, the degree or volume of risk an organization will withstand? And third, at what point does my risk become unacceptable? What is my risk threshold? For example, it may be acceptable if a project were 5% over-budget but not be 15% over-budget. Knowing these areas and amounts of risk an organization is willing to accept helps to identify the impact of risk and determine what strategies to use.
[9:54] How Much Risk Would You Accept?
So, how much risk would you accept? Well depending on what company you work for, you would likely have a different answer. A young and dynamic start-up company is very likely to take on high risk. They are willing to try out new technology to boldly go where no man has gone before in order to reap the greatest rewards. They are risk seekers.
Whereas older, established companies on the other hand may be more reluctant to behaving this way. They may be conservative and have less tolerance towards risk. They tend to be risk-averse and avoid enormous levels of risk.
Again, knowing how much risk an organization is willing to accept is key in risk planning. And this once again shows that it is interesting to know what inputs we have to these processes but understanding why we have them and how to use them to our benefit on the projects. That’s really key.
[11:01] Commonly Used OPAs
It is worth noting that companies themselves have a certain approach in how they manage risk and this approach is documented and defined in the organizational process assets. Let’s take a look at a few beginning with the company’s policies and procedures manual that documents how risk management is to be performed.
A company might have defined risk categories or even a complete listing of possible risks on certain project types possibly organized in a risk breakdown structure.
Some companies have a glossary with definitions of risk terms that you can use to educate your stakeholders in risk management. Or a company may also have standard templates for risk management activities. This may be as simple as just a template for your risk register.
But wait there is more because we also have to consider the company’s documented roles and responsibilities for risk management or the company’s definition on levels of authority when it comes to making decisions on risks. And of course let’s not forget that your company may have ready-made risk management plans.
Lastly, a wealth of information about risk management can be obtained from reviewing project lessons learned repositories and interviewing experienced project managers. The good thing about organizational process assets is that they exist. They represent best practices within your company from past projects and make your life easier. They make your life easier because you don’t have to reinvent all these assets from scratch.
[12:50] Tools and Techniques
We are moving on to the tools and techniques to help us plan for our ascent.
[12:56] Plan Risk Management
There are three tools and techniques in the Plan Risk Management process that used the inputs that we just described. These tools and techniques are expert judgment, data analysis and meetings. Normally, we review these in the order that you see them here. But this time, let’s start with data analysis and then discuss the other two together.
[13:21] Data Analysis
Data analysis is used to establish the overall risk management context. One important technique is stakeholder analysis, which is used to determine the risk appetite of the stakeholder again, determining how much uncertainty they will take on.
The key to understanding more about the overall risk management context requires you to determine who cares, what do they care about and how much do they care about it. To determine the answers to who, what and how much, you must engage your stakeholders and map their issues. The commitment they demonstrate to managing risk and their ownership of the risk management context also has to be defined.
This assessment permits you to allocate the appropriate resources to risk management planning and an ability to address risk. Early in establishing your context, it is critical to establish assessment criteria, which reflect an organization’s risk appetite and tolerance.
[14:25] Risk Management Meetings
For your risk management meetings to be effective, you rely on expert judgment to lay the foundation for a comprehensive risk management plan. A successful risk planning team includes the project manager, select members of the project team, stakeholders and experts from within or without your company. The idea is to invite those people that have a certain responsibility on the project or expertise when it comes to risk management. And for course leverage their expert judgment.
And what do you in these meetings? Well you define your fundamental strategies of how risk management is performed on the project. For example, what is your plan for conduction risk management activities? And you may even define certain risk-related deliverables that need to be included in the WBS. This may lead to the realization that you need additional activities on your schedule, which in turn leads to additional components on your budget, which touches cost management. And all of this work is documented in a single output.
And that means, we are moving on to the outputs. Well what will we have when we finish our climb-up-the-risk hill?
[15:47] Plan Risk Management
You can probably guess what that single output is. It is of course the Risk management plan. Like other plans, the Risk management plan is a subsidiary plan of the overall project management plan. It can be broadly framed or detailed and it can be formal or informal. It’s all based on the needs of your project. The risk management plan is vital to communicate to the stakeholders and get their approval and support to ensure proper execution of the risk management activities.
[16:25] What is the Plan?
Your risk management plan may include all or some of these elements here beginning with the risk strategy, methodology, which describes approaches, tools or where your data, your risk data comes from, roles and responsibilities in executing the risk management process. You could have funding and also timing and risk categories, which are a means for grouping individual project risk. For example with the risk breakdown structure.
Then we talked a couple of times about the risk appetite. And then there is also the risk probability and impact. These are levels that are specific to the project and reflect the risk appetite and thresholds of your organization and key stakeholders. These are often plotted into a matrix and used in the qualitative risk analysis. And lastly also, documentation requirements.
As you can see, there can be many elements in the risk management plan. At its core, the risk management plan tells you how risk management is structured and performed on your project. Again, we are not talking about how to respond to individual risks. We are talking about how to manage the overall approach to risk management as a major process on your project. Now that we have seen what is in the plan, let’s examine a few points in more detail.
[18:00] Risk Breakdown Structure
I think a mentioned a couple of times already that a common way to structure risk categories is with a risk breakdown structure, RBS. Like all the other breakdown structures, the RBS is a graphical, hierarchical structure of your risk categories. You could have high-level categories such as business infrastructure, technical or project management and these are then again subdivided into low-level categories.
An organization may have a generic RBS to be used for all projects or each project has a tailored RBS with many more or fewer levels. It all really depends on your project.
The RBS is a great tool to make people aware that there are a multitude of sources where risks may arise and it helps put risk management at the forefront of people’s thoughts.
[19:18] Define Probability and Impact
A crucial step in risk management planning requires the project manager and the risk management team to create specific definitions for levels of probability and impact for the project. These definitions are documented in the risk management plan and serve as a basis for future risk management activities. These definitions are therefore required before we can perform the qualitative and quantitative analyses of risks, which we cover in another lesson.
And as with many things, one size doesn’t fit all when it comes to defining probability and impact. While we apply the organizational process assets, we benefit from the experience of other project managers and risk management experts to help us create definitions that are specific and tailored to our project’s context.
Since risk can have both positive and negative impact, our definitions and the tools we use to define probability and impact should be able to account for each type of impact. So positive and negative.
And lastly, relative terms like high, medium and low and numerical values are commonly used both individually and together in defining levels or probability and impact.
[20:49] Cost Impact Definition Table
Let’s look at an example. A very helpful approach for defining probability and impact is the use of a lookup table. Let’s assume that our company uses a five point scale to define the impact that the risk may have on the overall project. We now have to define what the ratings of risk 1, 2, 3, 4, 5 actually means. Let’s see how this would work in such a lookup table. Here we go.
In this table, we have incorporated columns for a numerical rating, relative description and specific criteria. To illustrate, let’s start here with the risk that has been given an impact rating of 1 on the project cost.
This rating and its impact is classified as very low and the specific criteria that defines the impact as equal to 1 or very low is a cost deviation of less than or equal to 3% of the total cost.
Similarly, if we have a risk that is rated 2, that means here in our table that this rating and its impact to cost is described as low since the cost overrun was above 3% but does not exceed 10% of total budget.
And as you may expect, the rest simply follows in a very similar fashion. You may create or use existing tables that apply to all risk-affected areas like time, scope and quality just to name a few.
Probability and impact matrix or table is a very common example where both probability and impact are considered in combination. The levels and criteria for such a matrix are often set by the organization, again, based on a variety of factors such as risk tolerance and attitudes. We discuss this table in greater detail in the lesson on perform qualitative risk analysis.
And that’s it! And here are the key takeaways from this process. First of all, plan risk management is a process that you start early on in your project. We are not interested in planning how we manage the actual individual risk. Instead, we are interested in planning how to approach and execute the risk management activities on our project.
By planning your risk management approach early on, we ensure that risk management receives the appropriate visibility to the stakeholders and it corresponds with the size and strategic importance of the project in the organization overall.
Risk attitudes and risk tolerance of both the company and our stakeholders are an important input. And the risk management plan is our only output. It tells us how risk management is structured and performed on the project.
And that concludes our look at plan risk management.
Until next time.
[End of presentation]